
COMING SOON | Intermediate | PRO
Exchange ProxyShell: Domain-Wide Ransomware
An internet-facing Exchange server falls to ProxyShell, dropping ASPX web shells that run as SYSTEM. The attacker re-enables a built-in account, dumps LSASS with a Windows DLL, tunnels out with Plink and FRP, moves laterally over RDP, and encrypts the domain with its own BitLocker and DiskCryptor, no ransomware binary in sight. Work the Exchange logs, the endpoint process tree, and the perimeter traffic to reconstruct the intrusion.
1h
6 tasks
50 points
Pro | Launches in 5 days
Jul 7, 2026
Tuesday, July 7, 2026 at 9:00 AM
Pro unlocks this operation at launch.
Training Tools
SIEM, XDR, Firewall
What you'll investigate
6 objectives unlock when this operation goes live.
1. Find the foothold
2. Name the implant
3. Catch the privileged account
4. Expose the credential theft
5. Trace the tunnel out
6. Classify the impact
Be first when it launches
Create your account and grab Pro before launch. The moment this operation goes live on Jul 7, 2026, you can jump straight in.